We need to provide Authz/Authn as a service. The primary consumers will be MediaWiki and other standalone services in the Wikimedia infrastructure and third party applications making use of Wikimedia sites.
There's two of major steps here
- Finalize T380: RfC: SOA Authentication. This needs to take into account the larger question of "how do we inject services into MediaWiki core in a reusable way?" and "how do we handle legacy hooks in such services?"
- Implement services based on RFC - authn first and authz second.
Stuff like OpenID and Captchas are out of scope here. A number of OAuth fixes would be in scope. Improved 2FA could follow very soon after this.